Iranian election interference: When you’re broke, at least be flashy

How Iran’s influence operations playbook targeting US elections has – and hasn’t – changed over time


Banner: IRGC Quds Force Commander Esmail Qaani speaks at a ceremony commemorating the anniversary of the killing of former commander, Major General Qasem Soleimani, at the Imam Khomeini Grand Mosque in Tehran, January 3, 2024. (Source: Reuters Connect/Morteza Nikoubazl/NurPhoto)

Two recent federal indictments draw a stark, long-running contrast between Russia and Iran’s tactics and capabilities when it comes to conducting foreign information manipulation and interference (FIMI) operations.

On September 4, 2024, the US Department of Justice unsealed an indictment of two employees of the Russian state-controlled media organization RT for a sprawling conspiracy to covertly fund and bolster a media network in the United States. Over the course of ten months, RT funneled nearly $10 million to a recently established conservative media company, TENET Media, which subsequently published nearly two thousand videos on polarizing social and political issues. TENET made waves through hiring prominent right-wing commentators such as Tim Pool, Benny Johnson, and Dave Rubin, receiving 16 million views on YouTube alone (not including platforms like Rumble, where its content was popular and remains accessible).

Three weeks later, the DOJ announced indictments of Iranians for a ‘hack-and-leak’ operation targeting the Trump campaign. Though as stunning as the Russian indictments in terms of its significance, the Iranian operation couldn’t have been more different in terms of cost and tactics. While the Iran indictment only directly names three Iranian nationals, a domain name cited in the indictment (mailerdaemon.online) has been linked to the prolific, well-known group ‘Charming Kitten’ – aligning with prior attributions made by Microsoft and others. According to the indictment, Charming Kitten began focusing on the Trump campaign in earnest in May 2024, and within a month was attempting to leak hacked material from multiple Trump campaign officials to the media and individuals associated with the Biden campaign. Charming Kitten has also reportedly attempted to hack members of the Biden administration. However, given the group’s long history of espionage, that does not mean that it intended to launch a similar campaign against Democrats.

The Russian and Iranian operations were miles apart in other ways, too: whereas the TENET Media operation involved millions of dollars moved through shell companies in Turkey, the United Arab Emirates, and Mauritius, the Iranians behind Charming Kitten used their well-worn talent of impersonation and leveraging of breached accounts to worm their way into Trump campaign infrastructure.

In parallel to all of this, the FBI announced in March 2024 that it was seeking information on an alleged Iranian plot to kill US officials. In July 2024, more details emerged, with the New York Times reporting that government agencies were tracking a potential Iranian plot against former president Donald Trump. By September 2024, the Trump campaign publicly acknowledged it had been briefed on an Iranian plot to assassinate him.

The Iranian hack-and-leak operation provides a benchmark for how the country’s FIMI operations have evolved over the past decade, seemingly emulating others and finding what works under increasing pressure from tech companies and the limits of Iranian actors.

Create an audience

As the DFRLab reported in 2018, Iran first received public attention that August for its FIMI operations when Meta disclosed the takedown of over six hundred pages, groups and accounts, including the likely IRGC-affiliated, fictitious media organization Liberty Front Press. While the Iranian operations received heightened attention – and platform enforcement – in the wake of controversies over Russia’s Internet Research Agency (IRA), Iran had long used false personas and fake websites to harass pro-democracy and women’s rights activists. In 2019 and 2020, Meta, Google, and Twitter announced additional takedowns of large inauthentic accounts pushing pro-Palestinian, anti-American, anti-Saudi memes and stories.

By 2022, however, Meta had found that Iranian operations had declined in attempted reach, shifting tactics toward smaller campaigns targeting specific groups. While not asserting a particular cause, this shift coincided with a series of sanctions designations and domain seizures targeting Iranian FIMI actors and infrastructure, as well as increased enforcement from online platforms. Whereas Iranian operations were able to cumulatively reach about two million followers in a group of inauthentic accounts removed in January 2019, subsequent disclosures would describe substantially smaller audiences that were more targeted toward regional neighbors and rivals.

Iranian covert social media influence operations – at times linked to the Islamic Revolutionary Guard Corps’s Qods Force and the state-controlled Islamic Republic of Iran Broadcasting (IRIB) – were often second only to Russian operations in terms of audience and the number of inauthentic accounts employed by them. One departure, again in contrast to TENET Media, was that external indications such as ad expenditures suggest that Iran is less willing or able to put significant money behind pushing inauthentic content; the largest amount of advertising expenditures disclosed by Meta was less than $30,000.

Be flashy

If Iran was potentially winding down its investment in long-term social media campaigns by the time of the 2020 general election, it found new success in simple, brazen stunts that exploited political divisions and courted press attention through creating controversies.

Beginning in August 2020, according to a DOJ indictment, the Iranian cybersecurity company Emennet Pasargad conducted a campaign to sow distrust in state elections systems and to intimidate voters. This campaign would repeatedly make national news in the US and have lasting repercussions. While Emennet Pasargad sought to breach state elections websites – and was able to obtain voter records in one case – it achieved substantially more attention through impersonating the militant right-wing group known as the Proud Boys to spread a hoax video purporting to show election fraud through the submission of fake absentee ballots, as well as send tens of thousands of emails threatening violence against registered Democrats. These actions exploited, fed into, and fostered backlash related to partisan political fights against mail-in ballots, broad fears on the security of elections infrastructure, and lingering social tension after the George Floyd protests. Emennet Pasargad also worked behind the scenes to contact Republican officials, the Trump campaign, and the White House, claiming that the Democratic Party was planning to exploit cybersecurity vulnerabilities in election systems to submit fake ballots.

Iran’s FIMI efforts did not end on election day 2020. As the Trump campaign continued to contest the outcome of the election that December and in January 2021, a website and social media accounts branded as “Enemies of the People” published death threats and personal information targeting elected officials, employees of voting system companies, and Supreme Court justices. The FBI and CISA attributed the campaign to “Iranian cyber actors.”

Whereas Iran’s prior covert social media operations elicited tepid public responses, Emennet Pasargad’s threats, fabrications, and breaches received substantial media attention and federal response. Moreover, the actual, but limited, breach of an election system fed into legitimate fears about the security of election systems; the hoax video continues to be claimed as evidence for election denialism. Emennet Pasargad never showed more than a basic level of competence in hacking, but it knew how to push Americans’ buttons.

Unsurprisingly, a federal indictment didn’t deter Emennet Pasargad from what it likely saw as a successful strategy. Between 2020 and 2022, the group conducted hack-and-leak operations using false flag personas against Israeli entities and the Mujahadeen-e-Khalq, an exiled Iranian opposition group. Additionally, in 2023, Meta announced a takedown of hacktivist false flag personas tied to Iran that had claimed to have hacked organizations in Israel, Bahrain, and France, which Microsoft linked to Emennet Pasargad. Similar tactics were used in response to the 2022 protests in Iran, when a cut-out persona was used to selectively leak and shape a narrative around hacked emails to discredit human rights advocates via Telegram.

Go with what you know

Compared with covert social media accounts like the Liberty Front Press network and the Proud Boys persona, the more recent hack-and-leak operations and salacious trolling tactics have been more successful for Iran, with presumably less financial cost, upfront preparation, or risk of failure. When caught, they have also served to bolster Iran’s international reputation as a sophisticated actor in cyber operations, creating an impression that Iran can use offensive cyber operations for retaliation and deterrence.

To be sure, Iranian actors continue to engage in covert social media operations, disseminating memes and producing content aligned with the Islamic Republic’s priorities and geopolitical interests. Less covertly, Iran continues to invest in spreading its message through the IRIB’s English-language channel, Press TV. The budget of Iran’s state broadcaster, which Meta has linked to covert social media campaigns of Liberty Front Press, was even tripled in the most recent budget.

Researchers and tech companies continue to find and remove covert Iranian FIMI. Most recently, OpenAI announced it had banned a set of accounts that were using ChatGPT to generate content for five websites that posed as progressive and conservative news outlets, publishing on topics such as Gaza, Israel, and the US presidential election. Despite being explicitly named in public reports, those sites continue to actively publish seemingly original (though potentially still AI-generated) articles on a near daily basis. However, adding to the perception that building an audience is increasingly difficult, Microsoft and OpenAI asserted that the sites did not receive “significant social media amplification” and lacked “meaningful audience engagement.”

For example, one named site first linked to Iran by the Election Integrity Partnership, EvenPolitics, began publishing in November 2020 and had posted 2,043 articles by October 1, 2024. EvenPolitics runs as a general interest political blog covering issues of the day, including critical articles on both Democrats and Republicans, and even calls for the overthrow of the Islamic Republic in an article on the 2022 protests. However, EvenPolitics also publishes a disproportionate amount of criticism of Israel in comparison to its other foreign policy coverage. While the blog exposes a view count, it would appear that the site attempts to fake popularity through incrementing the counter by a factor of seventeen for each page view. The most popular article on Saudi and UAE influence over the Trump administration received less than a thousand actual views, aligning with the characterization of the sites as marginal. Incidentally, the AI-generated sites were once again hosted through the Iran-linked company MonoVM, which repeatedly shows up in Iranian influence operations, including Enemies of the People.

By any count, the recent Trump campaign breach brought more attention and bolstered public perceptions of Iranian capabilities than a site like EvenPolitics. Enemies of the People and the Proud Boys hoaxes also did not require the slow process of building a brand and audience to create reach for Iran’s message. At the time of writing, a Twitter/X account for EvenPolitics had only eight followers, while its backup account had just two followers.

External factors likely constrain Iran’s capabilities in that regard. With fierce competition for attention on social media, fictitious pages and personalities often turn to advertisements or fake followers to boost their reach and apparent prominence. Whereas Russia has spent hundreds of thousands of dollars in advertising to amplify fake pages according to disclosures from Meta, as well as millions to hire well-known political commentators, Iran appears to have spent a fraction of that – between Meta’s disclosures, less than a hundred thousand dollars.

Iranian actors face substantial barriers overall to accessing the global financial system. IRIB and its English-language subsidiary Press TV have faced more than a decade of US and EU sanctions as well as broadcast license restrictions. These measures have likely constrained Iran’s ability to recruit and fund cutouts, unlike how RT was able to fund TENET Media.

Moreover, covert social media influence operations have a short shelf life after they are exposed and taken down. Meanwhile, tech companies are paying much more attention and creating more barriers for inauthentic accounts compared to 2016. It is difficult to imagine Iranian FIMI operations spending hundreds of thousands of dollars in scarce foreign funds to create and amplify accounts or groups that could disappear at a moment’s notice.

Instead, Iran can attract attention to its message through flashy or high-impact incidents, such as website defacements, creating noise, or salacious hack-and-leaks. Enemies of the People, a simple website with a few dollars in hosting fees, can get more attention if it pushes the right buttons than a faceless website like Liberty Front Press.

Remain persistent

What do not appear to have changed are Iran’s strategic goals. While the US intelligence community has assessed that Iran has sought to undermine former President Trump’s chances of re-election, it has also asserted that Iran seeks to “fuel distrust in US political institutions and increase social discord,” similar to Russia and China’s strategy to exacerbate political polarization and weaken the United States, while pushing messages aligned with their political goals.

Charming Kitten clearly intended to damage Trump’s chances by leaking campaign material, spending weeks trying to attract the attention of American reporters, starting with POLITICO, the New York Times, and the Washington Post, then, when ignored, even contacting progressive Substack writers. During the 2022 midterm election, the Election Integrity Partnership even found Iran-linked accounts boosting progressive politicians and ActBlue fundraising pages for Democratic campaigns.

However, Iranian FIMI operations also play both sides to fuel discord and division, in line with the US intelligence community’s assessment. In adopting the Proud Boys persona, especially to make threats against Democrats and claim election fraud, Emennet Pasargad played on outrage over President Trump’s apparent unwillingness to criticize the group. The hoax video, and attempt to spread stories of fake absentee votes, fed into conspiracies on the right over election rigging. Iran was able to stoke divisions on both sides.

Two newer persona sites disclosed by Microsoft, “Nio Thinker” and “Teorator,” demonstrate how Iran continues to try to exploit culture wars issues and political divisions. Nio Thinker caters to a left-leaning US audience, publishing political commentary opposing former President Trump, criticizing the Biden administration’s support for Israel, supporting LGBTQ+ rights, and defending reproductive rights, as well as articles aligned with Iranian reformist politics. On the other hand, Teorator promotes conspiracy theories on election rigging, immigration fears, attacks on LGBTQ+ rights, and accusations that Democratic politicians are a “fifth column” for Hamas. It is notable that the sites are willing to criticize Hamas, Hezbollah, and the Iranian regime in the course of seeding partisan attacks.

EvenPolitics, Nio Thinker, Teorator, and a broader network of persona news sites continue to publish articles despite being exposed. However, their seemingly AI-generated content appears to receive very little traffic, a far cry from the millions of followers of Liberty Front Press. Even if generative AI has made it substantially easier to create new content for FIMI sites, especially for non-English speakers, it has not yet made it easier to build an audience and create public controversy. Iran’s determination to leverage any and all new tools to its strategic interests, however, remains unchanged.


Cite this essay:

Simin Kargar, “Iranian election interference: When you’re broke, at least be flashy,” Digital Forensic Research Lab (DFRLab), October 18, 2024,